Could a Weak Link in the Chain Hamper Retailer Implementation of PCI DSS Version 3.2?

The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide standard set up to help businesses process card payments securely and reduce card fraud through tight controls surrounding the storage, transmission and processing of cardholder data that businesses handle.

Due to the sensitivity of the data that is handled in this process, it’s seen as a high priority for retailers to adopt PCI DSS. If a retailer isn’t PCI DSS compliant and loses customer card data, they risk the possibility of incurring Card Scheme fines, and may also be liable for the fraud losses incurred against these cards and the operational costs associated with replacing the accounts.

P2PE encrypts card data from PED to acquirer, and therefore significantly reduces the DSS target for evaluation, and so many retailers are also adopting P2PE to simplify and streamline the process to implement DSS.

PCI DSS Version 3.2

The PCI DSS’s version 3.2 is expected to be released within the next month, giving all payment card companies a push in the direction of the very latest and safest security system. The update release – which was pushed ahead in lieu of its traditional autumn/winter release, primarily in order to facilitate the revised migration dates for SSL/early TLS – has been designed with particular focus on the threat landscape and minimizing compromise trends.

This update will provide companies and their millions of customers with renewed confidence in their security system.

On the other hand, application of the PCI DSS’s latest system is not a quick fix, but a means to an end. The PCI DSS lay out their regulations as a minimum security standard; it is up to companies to ensure their own compliance. According to last year’s compliance report by Verizon, around 80% of businesses failed their compliance assessment. Not only is this a blow to businesses’ internal processes, as their networks are exposed to cyber-criminals, but to custom and profit too.

In fact, the same report states that 69% of customers would be discouraged from doing business with a breached company. With about the same percentage of all transactions being via payment card, can anybody really afford the financial, regulatory and legal risk of being non-compliant?

The Weak Link in the Chain?

To protect each PED’s encryption key, a formal regime of ownership, monitoring and documentation is required throughout the PEDs’ lifecycle. However, the weak link in the chain is often in the deployment and ongoing servicing of PEDs.

According to Ilia Kolochenko of High-Tech Bridge Cybersecurity, the majority of non-compliance instances are not down to faults in security systems, but lack of proper maintenance and regulation. This is why the FTC has been upping its game in terms of assessment.

Remember how your teacher would always tell the class in advance to wear their best uniform and be very well behaved when the inspector was coming to visit and wondering what the point was of announcing an inspection, when it allowed for time to fill in the gaps people knew were there all year round? The exact same applies to PCI DSS compliance, and they’re looking to catch people out. Security is a huge issue, and the ramifications for businesses who do not take the issue seriously are considerable.

While Troy Leach of the PCI identifies DSS as a ‘mature standard’ which no longer requires such significant updates, the hard work is now down to businesses themselves. Full PCI DSS compliance is not just about the safety of the customers whose payment cards are processed through the retailer’s system, but the safety of the business, and its network, employees and reputation.

Ultimately, P2PE is about secure payments and the outsource of the payment processing database from the retailer to an external organization but for a retailer, this is also about minimizing their exposure to PCI compliance and the ability in the future for tokenization of the card data for marketing and loyalty purposes.

Whilst there is a lot of detail to discuss to ensure they get this right, actually, they mustn’t forget to consider the peripheral logistics around the service. It’s important to always remain aware that a logistics piece not running properly and professionally could undo all the good work relating to PCI DSS compliance that’s been done elsewhere.